guix-devel

Re: NSS test failure on armhf


From: Marius Bakke
Subject: Re: NSS test failure on armhf
Date: Fri, 21 Apr 2017 00:18:07 +0200
User-agent: Notmuch/0.24.1 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Mark H Weaver <address@hidden> writes:

> Marius Bakke <address@hidden> writes:
>
>> Marius Bakke <address@hidden> writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you!  Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1.  I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.

Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:

https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h

So I guess we should keep updating these together to the extent possible.
